This patchset introduces safe dynamic LSM support. These are currentlynot unloadable, until we figure out a use case that needs that. Addingan unload hook is trivial given the way the patch is written.

This exposes a second mechanism of loading hooks which are in modules.These hooks are behind static keys, so they should come at low performanceoverhead. The built-in hook heads are read-only, whereas the dynamic hooksare mutable.

Not all hooks can be loaded into. Some hooks are blacklisted, and thereforetrying to load a module which plugs into those hooks will fail.

One of the big benefits with loadable security modules is to help with"unknown unknowns". Although, livepatch is excellent, sometimes, asurgical LSM is simpler.